Security needs to be designed in from the ground up, it should never be added as an after-thought.
Embedded Systems need to have secure attack windows closed (e.g. remove Telnet and FTP), as well as a clear strategy for storing per device unique private keys.
Once the system is nearing completion, penetration testing should be conducted to determine what weaknesses exist in the system, and patches should be regularly monitored and applied.
See examples of past client successes.